A Framework to Automate Cloud based Service Attacks Detection and Prevention

With the increasing demand for high availability, scalability and cost minimization, the adoption of cloud computing is also increasing. Driven by the demand from the data consumers or the customers of the applications, the service providers and application owners are migrating all their applications into the cloud. These migrations of traditional applications and deployments of new applications benefit both the consumers and the service providers. The consumers get higher availability of the applications and, on the other hand, the consumers of the applications also benefit from the cost reduction of optimal scalability and from deploying additional features at the least cost, which in turn provides better customer satisfaction. Nevertheless, these migrations and new deployments are attracting the attention of hackers and attackers as well. In the recent past, several attacks have been reported on various popular services such as search engines, storage services, and critical applications ranging from healthcare to defence. The attacks are sometimes limited to data exploration, where the attackers only consume the data, and sometimes the attackers destroy crucial services. The major challenge in detecting these attacks is mostly identifying the nature of the connection request. Also, identifying the attacks is not sufficient for securing the cloud services; the measures must be deployed as security as a service in the applications, the services or the data centre, as automatic and continuous measures. Various research endeavours have shown critical enhancements in the recent past for recognizing security attacks. Nonetheless, these attempts have not provided any solution for preventing the security attacks. Also, the existing methods as mentioned are not automated and cannot be included in the services.
Thus, this work provides a unique automated framework solution for detecting the application traffic pattern and generating the rule sets for detecting any anomalies in the request types. The major outcome of this work is to identify the attack types and prevent further damage to the cloud services with a minimal computational load. The additional benefit of this work is the preventive measures for popular attack types. The work also demonstrates the ability to detect new types of attacks based on traffic pattern analysis and provides preventive measures for making the cloud computing application hosting industry a safer place.

Keywords—Data breach; HoA; insider threat; malware injection; ACS; insecure APIs; DoS; automated attack detection; automated prevention; characteristics based detection


I. INTRODUCTION
Remote attacks in cloud computing environments are generally carried out by executing malicious commands through the connection requests to the virtual machines of the cloud services. The work by Z. Su et al. [1] has demonstrated the effects of the attacks and the damage situations on the services. As also demonstrated by A. Stasinopoulos et al. [2], the attackers can deploy powerful commands to permanently damage the authentication protocols and can obtain access to any of the cloud services. The attacks are not limited to single applications. Any attack on the data centre authentication, such as SSH key based authentication, can generate access viability to all the applications hosted on that data centre. The analysis report from AWS, Analysis of SSH Attacks on Amazon EC2 [3], is significant proof of the collateral damage.
The best possible way of preventing these attacks on the security protocols is making the network architecture virtual and continuously changing. Also, the pattern of the connection requests must be analysed in order to make an early prediction of the possible attacks. The pattern of the connection requests must also be analysed against the application type, to stop the algorithm from making false detections of attacks.
In this direction of research, a number of research outcomes have been presented by various researchers. The outcome from G. Badishi et al. [4] has demonstrated the strategy for detecting DoS attacks on cloud networks and the preventive measure. That work was enhanced again by Q. Jia et al. [5] in the year 2013. Needless to say, the works of W. G. Morein et al. [6] and A. Stavrou et al. [7] must also be considered popular solutions to DoS attacks on cloud services. Nevertheless, these outcomes are mainly focused on DoS attacks and do not address other types of attacks.
Thus the demand from the research and application industry on cloud computing is to provide a generic solution for the detection and prevention of all major types of attacks on the cloud, and also to build the capability to detect newer types of attacks. Henceforth, this work takes up these challenges as deliverable outcomes. The rest of the work is organized as follows: in Section II the detailed review of the literature is carried out together with its limitations; in Section III the analysis of the attack characteristics is performed; the deployment of the security measures as preventive actions is elaborated in Section IV; Section V discusses the automatic detection and prevention framework components in detail; the driving algorithm of this work is elaborated in Section VI; the comparative analysis is carried out in Section VII; the obtained results are discussed in Section VIII; and the final conclusion of this work is presented in Section IX.

II. OUTCOMES FROM THE PARALLEL RESEARCH WORKS
Attacks on cloud services, networks, resources and infrastructure are not recent. A number of attacks are reported every year violating the security policies, destroying the resources and making application data visible over the networks. However, the number of attacks has increased in recent years. As a counter measure, a number of research efforts have also been carried out in the recent past. Nonetheless, none of these attempts solves all attack types, and each has specific limitations and advantages. In this section of the work, the outcomes from the parallel research are discussed.
It is often identified that security attacks are caused by misconfiguration of the load balancing or the routing algorithms. The work by B. Abali et al. [8] has elaborated the misconfiguration and correction strategies of routing algorithms on cloud networks. Considering this phenomenon, the work by F. Araujo et al. [9] elaborates the concept of misdirecting the attackers. This policy cannot prevent the attacks, but it can cause significant delay in the attacks. Yet another violation of security is the attacks on the resources of the infrastructure. The recommendation from A. Brzeczko et al. [10] is a well-accepted solution for securing the infrastructure on the cloud using adaptive models.
As mentioned by T. E. Carroll et al. [11], the network configurations and analysis of the network traffic can lead to a high success rate in detecting the attacks. Nevertheless, this detection must be backed up with a suitable prevention mechanism. Also, the data access pattern can be elaborative evidence of data breaches, as suggested by L. Cheng et al. [12]. The improvements over the standard network architectures were able to resist most attacks on the cloud services. The work by A. Chowdhary et al. [13] suggested the recent improvements by deploying SDN strategies.
Attacks on the frameworks have also been reported in the year 2017, as the report from "The Apache Struts Project Management Committee" was published [14]. This indicates the mandate of including a security as a service component in all deployable frameworks on the cloud.
The mobile cloud computing agents, in spite of the location hiding policies, are not safe from attacks. The work by D. Evans et al. [15] elaborates the attack types on the mobile cloud agents and a few counter measures. The complexity of this solution is the increasing load on the routing algorithms. This problem was well addressed by A. Gupta et al. [16] with the tree based routing algorithm. Nonetheless, the reduction of the routing complexity of the requests has imposed a few limitations, such as region specificity of the agents. However, the work by V. Heydari et al. [17] could successfully address this problem. This solution was backed up by the works of J. B. Hong et al. [18] and J. H. Jafarian et al. [19].
Finally, as discussed in the work by N. Virvilis et al. [20], a good number of further research efforts are required to make the cloud services more secure and, more so, to provide a generic solution addressing all attack types under a single framework.
Henceforth, this work identifies the challenges in the existing solutions and provides a novel solution, which is discussed in the further sections of this work.

III. ATTACK TYPES AND CHARACTERISTICS IDENTIFICATION
The individual attack types are the key to effective detection of the attacks and, further, to providing the preventions. Thus, in this section of the work, the attack types are analysed with the proposed characteristics metric.

A. Data Breaches
Data breaches are the first type of attack that can be encountered in cloud environments. Various studies have shown that this type of attack was encountered even before the cloud computing paradigm came into existence. During a data breach attack, sensitive data is exposed to unauthorised access. This attack type can be identified if there is a high volume of data transfer in the network, which is unusual for the regular traffic. Also, unusual access restrictions for any user profiles can be a significant hint of data breaches.

B. Hijacking of Accounts (HoA)
The second type of attack is the hijacking of accounts, or HoA. During this attack the user is often signed out of the portal and cannot regain access to the system. During this attack the hacker can obtain sensitive information from the accounts or can perform random tasks, which will be harmful to the application or the data. If any user in the system loses access to the resources or the account, then it is a clear indication of HoA.

C. Insider Threat
The third type of attack may seem the most unlikely to happen, but a deep dive into the security aspects reveals that this type of attack can happen. During this type of attack, the attacker may make unauthorised access requests multiple times.

D. Malware Injection
The fourth type of attack is the malware injection attack. This type of attack is usually introduced into the network by deploying a false instance in the cloud data centre. This instance eventually hampers the network and service functionalities. A sudden change in the network architecture or unusual routing of the requests can be a hint of malware injection.

E. Abuse of Cloud Services (ACS)
The fifth type of attack is the ACS attack. This type of attack is eventually generated by legal users by hosting illegal applications or content on the cloud. The detection of this type of attack is limited to the report from the victim. Also, this type of attack can be detected by validating the application hosting rules from every country and then matching them with the application characteristics.

F. Insecure APIs
The sixth type of attack is the insecure API attack. API based access can be highly beneficial and at the same time highly risky for the hosted applications, due to the vulnerable nature of the authentication, of the access, or of the effects on the access request encryption. Insecure API access can be identified by analysing unauthorized access requests and violations of encryption.

G. Denial of Service (DoS)
The last popular attack type is the DoS attack. This attack can cause permanent damage to the applications by making the applications or parts of the applications unavailable to the users. The detection of DoS attacks can be carried out by identifying the random unavailability of the resources.
Henceforth, with the detailed understanding of the attack types, the characterization of the attacks is also formulated in this section of the work [Table 1].

[Algorithm-1 fragments surviving extraction: Step-3. End Step; ... Then mark as DoS; Step-11. Report the attack type]

Furthermore, in the next section of the work, the proposed prevention model is elaborated.

IV. SECURITY POLICY MANAGEMENT
The proposed attack detection algorithm can identify the attack types and can further enable the security policy management protocols to be implemented. The detection of the attacks can temporarily relieve the network from the attackers, but it cannot prevent the damage. Thus, in this section of the work, the security policy management and deployment algorithm is elaborated.
Since the applicability of the policies significantly depends on the characteristics of the attacks, the predefined measures for prevention must be furnished first. Hence the preventive measures are elaborated first in this section of the work [Table 2]. Further, the security policy management and deployment algorithm is elaborated here:

[Algorithm-2 fragment surviving extraction: Step-8. Deploy the combined security policy]

Further, the complete automated framework as proposed in this work is elaborated in the next section of the work.

V. PROPOSED AUTOMATED FRAMEWORK
As discussed in the previous sections of this work, a number of research attempts have been carried out for detecting and preventing the attacks on the cloud and cloud services. The existing solutions are limited for two major reasons:
• The parallel research outcomes are not applicable for deployment as security as a service, and thus cannot be incorporated within the services hosted on the cloud. To couple the detection and prevention methods into the services, the framework must be automated. The proposed framework in this work is automated and can detect random attack events.
• Also, the parallel research outcomes are focused on single attack types. Thus newer attack types cannot be detected and prevented. In order to achieve this goal, the proposed framework is designed to be characteristics based, so that any new attack can be detected based on the violation of the normal application or request properties.
Henceforth, the proposed automated characterization based framework is elaborated here in this section of the work [Fig. 1].
Further, in the next section of the work, the elaboration on the process flow and the algorithms is furnished.

Henceforth, the comparative analysis is presented in the next section of this work.

VII. COMPARATIVE SECURITY ANALYSIS
In order to claim the superiority of the proposed method, there must be a comparative analysis. Hence, in this section of the work, the comparative analysis is carried out [Table 3].
Thus it is natural to realize that the proposed framework and the algorithms perform significantly better compared to the other parallel research outcomes.
The ranking analysis is also visualized graphically [Fig. 2].
Hereafter, with the comparative analysis, the results are discussed in the next section of the work.

C. Data Transfer Rate Identification & Validation for Attacks
Based on the application type, the threshold can be set for the data transfer rate. The connections violating the predefined transfer rates can be identified as attacks. The results from this component are furnished here [Table 8].
The analysis result is visualized graphically here [Fig. 5].

D. Connection Duration Identification & Validation for Attacks
The duration of the connection indicates the significance of the attacks. In the case of a standard application type, the connection duration can be predetermined, and the over timing of any connection can be a potential attack. The results from this component are elaborated here [Table 9].

E. Resource Access Time Stamp Validation & Validation of Attacks
The resource access time stamps for the allowed or the restricted resources can be a deterministic factor for detection of the attacks. The resources which are identified by the service as restricted and have the most recent time stamp can be a strong witness of the attacks. The results from this module are elaborated here [Table 10].
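The three validations of Sections VIII-C, VIII-D and VIII-E, as an added example that is not the paper's own code: per-application thresholds, the five-minute "recent" window, the application names and the connection records are all constructed sample values.

```python
"""Characteristics-based connection validation (added example, not the paper's code).
Checks each constructed connection record for a data transfer rate above the
application's threshold, a duration beyond the application's limit, and a recent
access to a resource the service marks restricted. All values are assumed samples."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed per-application profiles: max bytes/second, max connection seconds,
# and the resources the service marks as restricted.
PROFILES = {
    "web_portal": {"max_rate": 200_000.0, "max_duration": 600.0,
                   "restricted": {"/admin/keys", "/db/dump"}},
    "backup_api": {"max_rate": 5_000_000.0, "max_duration": 7200.0,
                   "restricted": {"/admin/keys"}},
}
# Assumed meaning of "most recent time stamp": within the last five minutes.
RECENT_WINDOW = timedelta(minutes=5)

@dataclass
class Connection:
    client: str
    app: str
    bytes_transferred: int
    duration_s: float
    resource: str
    last_access: datetime

def validate(c: Connection, now: datetime) -> list[str]:
    """Return the names of the characteristics this connection violates."""
    p = PROFILES[c.app]
    flags: list[str] = []
    # Section VIII-C: transfer rate above the application's threshold
    # (a zero-length connection that moved bytes counts as an infinite rate).
    rate = c.bytes_transferred / c.duration_s if c.duration_s > 0 else float("inf")
    if rate > p["max_rate"]:
        flags.append("transfer_rate")
    # Section VIII-D: connection lasting longer than the predetermined duration.
    if c.duration_s > p["max_duration"]:
        flags.append("connection_duration")
    # Section VIII-E: restricted resource touched with a recent time stamp.
    if c.resource in p["restricted"] and now - c.last_access <= RECENT_WINDOW:
        flags.append("restricted_resource_access")
    return flags

def scan(records: list[Connection], now: datetime) -> dict[str, list[str]]:
    """Map each client to its violations; an empty list means no attack flagged."""
    return {c.client: validate(c, now) for c in records}

NOW = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time
SAMPLE = [  # constructed connection records
    Connection("10.0.0.5", "web_portal", 1_000_000, 2.0, "/index", NOW - timedelta(minutes=1)),
    Connection("10.0.0.6", "web_portal", 50_000, 900.0, "/admin/keys", NOW - timedelta(minutes=2)),
    Connection("10.0.0.7", "backup_api", 3_000_000_000, 3600.0, "/db/dump", NOW - timedelta(minutes=1)),
    Connection("10.0.0.8", "web_portal", 1_000, 10.0, "/admin/keys", NOW - timedelta(hours=1)),
]
```

Running `scan(SAMPLE, NOW)` flags the first client for transfer rate only and the second for both duration and a recent restricted access, while the backup client's large but in-profile transfer and the hour-old restricted access are left alone.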
Hence, it is natural to realize that the proposed automated framework can identify and prevent the attacks with 100% accuracy.
Further, with the detailed presentation and discussion of the results, the final conclusion of this work is presented in the next section.

Algorithm-2: Security Policy Management & Deployment (SPMD)
Step-1. If T1 & T2 & T6 are True
  a. Match traffic pattern and disconnect the clients with high data requests
  b. Restore the security access points
  c. Update routing table
Step-2. If T2 & T3 & T4 are True
  a. Restore the security access points
  b. Update resource graphs
  c. Disconnect the IP address with unauthorized requests
Step-3. If T4 & T7 are True
  a. Match traffic pattern and disconnect the clients with high data requests
  b. Disconnect the IP address with unauthorized requests
  c. Match NDA and terminate application
Step-4. If T5 & T6 are True
  a. Update Architecture graphs
  b. Update routing table
Step-5. If T6 & T7 are True
  a. Update routing table
  b. Match NDA and terminate application
Step-6. If T4 & T8 are True
  a. Disconnect the IP address with unauthorized requests
  b. Update session keys, public and private keys
Step-7. If T3 & T5 are True
  a. Update resource graphs
  b. Update Architecture graphs
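The SPMD rule set of Algorithm-2 as a small policy selector, added here as an example and not the paper's own code. T1..T8 are the paper's Boolean triggers; their definitions (the characterization table) are not reproduced on this page, so the code treats them as opaque flags, and the merged action list stands in for the final "deploy the combined security policy" step.

```python
"""Security policy selection following Algorithm-2 (added example, not the paper's code).
T1..T8 are treated as opaque Boolean triggers because their definitions are not
reproduced here. Rule order and actions are transcribed from Steps 1-7; the merged,
de-duplicated action list is what the final deployment step would apply."""

# (trigger conjunction, ordered actions) transcribed from Algorithm-2 Steps 1-7.
RULES = [
    (frozenset({"T1", "T2", "T6"}),
     ["match traffic pattern and disconnect clients with high data requests",
      "restore the security access points", "update routing table"]),
    (frozenset({"T2", "T3", "T4"}),
     ["restore the security access points", "update resource graphs",
      "disconnect the IP address with unauthorized requests"]),
    (frozenset({"T4", "T7"}),
     ["match traffic pattern and disconnect clients with high data requests",
      "disconnect the IP address with unauthorized requests",
      "match NDA and terminate application"]),
    (frozenset({"T5", "T6"}),
     ["update architecture graphs", "update routing table"]),
    (frozenset({"T6", "T7"}),
     ["update routing table", "match NDA and terminate application"]),
    (frozenset({"T4", "T8"}),
     ["disconnect the IP address with unauthorized requests",
      "update session keys, public and private keys"]),
    (frozenset({"T3", "T5"}),
     ["update resource graphs", "update architecture graphs"]),
]

def matched_steps(triggers: dict[str, bool]) -> list[int]:
    """Return the 1-based Algorithm-2 steps whose trigger conjunction holds."""
    active = {t for t, on in triggers.items() if on}
    return [i + 1 for i, (needed, _) in enumerate(RULES) if needed <= active]

def combined_policy(triggers: dict[str, bool]) -> list[str]:
    """Merge the actions of every matching step, in step order, without repeats
    (an action shared by two matching steps is deployed once)."""
    policy: list[str] = []
    for step in matched_steps(triggers):
        for action in RULES[step - 1][1]:
            if action not in policy:
                policy.append(action)
    return policy

def flags(*on: str) -> dict[str, bool]:
    """Build a trigger dict with the named triggers True and the rest False."""
    return {f"T{i}": f"T{i}" in on for i in range(1, 9)}
```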

Fig. 1. Proposed Automatic Framework for Detection and Prevention of the Cloud Attacks
Algorithm-3:

TABLE I
Further, the detection of the characteristics from the client access requests must be performed; hence the first proposed algorithm, for request characterization, is furnished here.

TABLE II. ATTACKS AND PREVENTION MEASURES

TABLE VIII. DATA TRANSFER RATE & ATTACK IDENTIFICATION